Mir

Mir server crashed with SIGSEGV in mir::compositor::TemporaryBuffer::size() called from mir::gl::tessellate_renderable_into_rectangle()

Bug #1664760 reported by Michał Kuchta
This bug affects 1 person
Affects        Status         Importance   Assigned to      Milestone
Mir            Fix Released   High         Michał Kuchta
0.26           Fix Released   High         Michał Kuchta
mir (Ubuntu)   Fix Released   High         Unassigned

Bug Description

I run the mir example:
./bin/mir_demo_server --launch-client ./bin/mir_demo_client_multistrea
mir_demo_server crashes when I move the central animated object to the right border and back.

The cause of the crash is a call to the size() function through an invalid pointer in temporary_buffers.cpp, mc::TemporaryBuffer::size() - line: return buffer->size();

I have checked why pointer is invalid:

In function:
std::shared_ptr<mg::Buffer> mc::MultiMonitorArbiter::compositor_acquire(compositor::CompositorID id) from multi_monitor_arbiter.cpp

    auto& last_entry = onscreen_buffers.front();
    last_entry.use_count++;
    if (mode == mc::MultiMonitorMode::multi_monitor_sync)
        clean_onscreen_buffers(lk);

The last_entry reference points to a non-existent object (the object is no longer in onscreen_buffers) after calling the clean_onscreen_buffers() function.
The clean_onscreen_buffers() function looks correct to me - but after calling it, the data remains inconsistent.

Tags: regression
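
The lifetime problem described in the report, as an added example that is not Mir's code and not the fix that was committed: a reference into the container is taken before cleanup and read after it. The types, the use of std::deque and the cleanup rule below are simplified assumptions; only the names last_entry, onscreen_buffers and clean_onscreen_buffers come from the report.

```cpp
#include <deque>
#include <memory>

// Hypothetical stand-ins for the Mir types named in the report.
struct Buffer { int width, height; int size() const { return width * height; } };
struct ScheduleEntry { std::shared_ptr<Buffer> buffer; unsigned use_count; };

std::deque<ScheduleEntry> onscreen_buffers;  // container type is an assumption

// Simplified cleanup rule (assumption): drop entries no compositor is using.
void clean_onscreen_buffers()
{
    for (auto it = onscreen_buffers.begin(); it != onscreen_buffers.end();)
        if (it->use_count == 0) it = onscreen_buffers.erase(it);
        else ++it;
}

// Pattern from the report, kept for comparison and never called here:
// erasing from the middle of a std::deque invalidates references to every
// element, so last_entry may dangle once cleanup returns.
std::shared_ptr<Buffer> acquire_unsafe()
{
    auto& last_entry = onscreen_buffers.front();
    last_entry.use_count++;
    clean_onscreen_buffers();
    return last_entry.buffer;  // read through a possibly dangling reference
}

// Hardened form: take an owning copy before anything can modify the container.
std::shared_ptr<Buffer> acquire_safe()
{
    auto& last_entry = onscreen_buffers.front();
    last_entry.use_count++;
    auto buffer = last_entry.buffer;  // shared_ptr copy keeps the buffer alive
    clean_onscreen_buffers();
    return buffer;
}

// Constructed scenario: the second entry is unused, so cleanup erases from
// the middle of the deque while the front entry is still referenced.
int demo_safe_size()
{
    onscreen_buffers.clear();
    onscreen_buffers.push_back({std::make_shared<Buffer>(Buffer{4, 3}), 0});
    onscreen_buffers.push_back({std::make_shared<Buffer>(Buffer{1, 1}), 0});
    onscreen_buffers.push_back({std::make_shared<Buffer>(Buffer{2, 2}), 1});
    onscreen_buffers.push_back({std::make_shared<Buffer>(Buffer{5, 5}), 1});
    return acquire_safe()->size();
}
```

Building the unsafe variant with -fsanitize=address and calling it in place of acquire_safe() is a quick way to confirm whether a given container and cleanup rule actually leave the reference dangling.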


Changed in mir:
importance: Undecided → High
status: New → Confirmed
milestone: none → 1.0.0
Daniel van Vugt (vanvugt) wrote :

Thread 4 "Mir/Comp" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffecac3700 (LWP 11311)]
0x00007ffff5cc0150 in mir::compositor::TemporaryBuffer::size (
    this=0x7fffe80084f0)
    at /home/dan/bzr/mir/trunk/src/server/compositor/temporary_buffers.cpp:60
60 return buffer->size();
(gdb) bt
#0 0x00007ffff5cc0150 in mir::compositor::TemporaryBuffer::size (
    this=0x7fffe80084f0)
    at /home/dan/bzr/mir/trunk/src/server/compositor/temporary_buffers.cpp:60
#1 0x00007ffff5e2d98c in mir::gl::tessellate_renderable_into_rectangle (
    renderable=..., offset=...)
    at /home/dan/bzr/mir/trunk/src/gl/tessellation_helpers.cpp:29
#2 0x00007ffff5e25f8f in mir::renderer::gl::Renderer::tessellate (
    this=0x7fffe80008c0,
    primitives=std::vector of length 1, capacity 1 = {...}, renderable=...)
    at /home/dan/bzr/mir/trunk/src/renderers/gl/renderer.cpp:200
#3 0x00007ffff5e264f4 in mir::renderer::gl::Renderer::draw (
    this=0x7fffe80008c0, renderable=..., prog=...)
    at /home/dan/bzr/mir/trunk/src/renderers/gl/renderer.cpp:253
#4 0x00007ffff5e26182 in mir::renderer::gl::Renderer::render (
    this=0x7fffe80008c0,
    renderables=std::vector of length 4, capacity 4 = {...})
    at /home/dan/bzr/mir/trunk/src/renderers/gl/renderer.cpp:213
#5 0x00007ffff5cbddd8 in mir::compositor::DefaultDisplayBufferCompositor::composite(std::vector<std::shared_ptr<mir::compositor::SceneElement>, std::allocator<std::shared_ptr<mir::compositor::SceneElement> > >&&) (this=0x7fffe8008620,
    scene_elements=<unknown type in /home/dan/bzr/mir/trunk/build/bin/../lib/libmirserver.so.44, CU 0x66b90b, DIE 0x673525>)
    at /home/dan/bzr/mir/trunk/src/server/compositor/default_display_buffer_compositor.cpp:84
#6 0x00007ffff5cc5798 in mir::compositor::CompositingFunctor::operator() (
    this=0x5555559ded70)
    at /home/dan/bzr/mir/trunk/src/server/compositor/multi_threaded_compositor.cpp:141
#7 0x00007ffff5cc8fc0 in std::_Function_handler<void (), std::reference_wrapper<mir::compositor::CompositingFunctor> >::_M_invoke(std::_Any_data const&) (
    __functor=...) at /usr/include/c++/6/functional:1761
#8 0x00007ffff5b6a9f6 in std::function<void ()>::operator()() const (
    this=0x7fffecac2d80) at /usr/include/c++/6/functional:2127

summary: - mir_demo_server – crash
+ mir_demo_server crashed with SIGSEGV in
+ mir::compositor::TemporaryBuffer::size() called from
+ mir::gl::tessellate_renderable_into_rectangle()
Daniel van Vugt (vanvugt) wrote : Re: mir_demo_server crashed with SIGSEGV in mir::compositor::TemporaryBuffer::size() called from mir::gl::tessellate_renderable_into_rectangle()

Confirmed using this:
   sudo mir_demo_server --launch-client mir_demo_client_multistream

But this still works:
   sudo mir_proving_server & sleep 2 ; sudo mir_demo_client_multistream

Michał Kuchta (kuchtam)
Changed in mir:
assignee: nobody → Michał Kuchta (kuchtam)
Changed in mir:
status: Confirmed → In Progress
Daniel van Vugt (vanvugt) wrote :

This bug has apparently been around a while. Seems like it started way back in r2958.

tags: added: regression
Mir CI Bot (mir-ci-bot) wrote :

Fix committed into lp:mir at revision None, scheduled for release in mir, milestone 1.0.0

Changed in mir:
status: In Progress → Fix Committed
summary: - mir_demo_server crashed with SIGSEGV in
+ Mir server crashed with SIGSEGV in
mir::compositor::TemporaryBuffer::size() called from
mir::gl::tessellate_renderable_into_rectangle()
Changed in mir (Ubuntu):
status: New → Triaged
importance: Undecided → High
Daniel van Vugt (vanvugt) wrote :

Fix committed to lp:mir/0.26 at revision 4028, scheduled for release in Mir 0.26.2 (if at all)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mir - 0.26.2+17.04.20170322.1-0ubuntu1

---------------
mir (0.26.2+17.04.20170322.1-0ubuntu1) zesty; urgency=medium

  [ Daniel van Vugt ]
  * New upstream release 0.26.2 (https://launchpad.net/mir/+milestone/0.26.2)
    - Bugs fixed:
      . EDID does not change when hotplugging a monitor (LP: #1660017)
      . [regression] mirout crashes when connecting to unity8 or any nested
        server: [libprotobuf FATAL /usr/include/google/protobuf/repeated_field.
        h:1408] CHECK failed: (index) < (current_size_) (LP: #1661163)
      . Mir server crashed with SIGSEGV in
        mir::compositor::TemporaryBuffer::size() called from
        mir::gl::tessellate_renderable_into_rectangle() (LP: #1664760)
      . Nested servers (Unity8) periodically stutter (half frame rate) with
        Mir 0.26.1 (LP: #1666372)
      . Don't dereference the end iterator in ms::ApplicationSession::
        surface_after() (LP: #1667645)
      . [regression] OSK input shaping no longer works correctly (LP: #1669444)
      . Setting MirWindowSpec parameters always causes window's input_region
        to be reset (LP: #1670876)
      . Subpixel order not included in Mir display information (LP: #1393578)
      . Presentation chains should support various swap interval modes
        (LP: #1673533)
      . Need an extension for GBM buffers to replace
        mir_buffer_get_buffer_package() (LP: #1673534)
      . Seg fault on detect_fd_leaks (LP: #1661498)

 -- Cemil Azizoglu <email address hidden> Wed, 22 Mar 2017 04:54:19 +0000

Changed in mir (Ubuntu):
status: Triaged → Fix Released
Changed in mir:
status: Fix Committed → Fix Released